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(57) Abstract: A system for checking the right to access to sensitive information is described, said checking being based on current 
biometric data of a person whose right to access to the sensitive information is to be checked. The system comprises a data carrier (1) 
and a processing unit (2). The data carrier (1) comprises a memory (6) containing sensitive information, a signal processing means 
(5) and a communication means (3). The processing unit (2) is adapted to receive the current biometric data from the person and 
comprises a memory (10), a signal processing means (7) and a communication means (4). The processor (7) of the processing unit 
(2) preprocesses the current biometric data and transfers the same to the processor (5) of the data carrier (1) via the communication 
means (3, 4). The procesor (5) of the data carrier (1) compares the received preprocessed biometric data with biometric reference 
data stored in advance in the memory (6) of the data carrier (1) to determine whether the right to access to the sensitive information 
exists. A data carrier (1), a processing unit (2) and a method of checking, based on current biometric data of a person, the right to 
access to sensitive information stored on a data carrier (1) are also described. 
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CHECKING OF RIGHT TO ACCESS 

Field of the Invention 

The present invention relates to a system for check- 
ing the right to access to sensitive information, based 
on biometric data, of the type stated in the preamble to 
5 appended claim 1. The invention also relates to a data 

carrier, a processing unit and a method of checking, bas- 
ed on biometric data, the right to access to sensitive 
information stored on a data carrier. 
Background of the Invention 

10 The access to information, to a room or the like 

must in many cases be restricted to certain individuals. 
This is the case, for instance, when electronic money 
transactions occur via the Internet, when in a hospital 
the access to case records is to be limited, or when only 

15 certain individuals in a place of work are allowed to 
have access to certain information or certain rooms. 

To this end, use is often made of what is referred 
to as intelligent cards or smart cards. A smart card can 
be described as a card in the size of an account card 

2 0 which has a built-in processor or a signal processing 

means, a memory and a communication interface. Sensi- 
tive information is stored on all smart cards used in 
the above contexts. The sensitive information consists 
of one or more parts. A first part of the sensitive 
25 information is a so-called template which is stored on 

each smart card and can be described as reference infor- 
mation, stored in advance, about the user of the card. It 
is with this reference information that a comparison is 
made every time the card user wishes to verify his right 

3 0 to use the card. The template is further the only sensi- 

tive information that need be available on the smart card 
if it is intended for use as a pure "key card" and to 
generate a "yes" or "no", for instance, for physical 
access to a room. 
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A second part of the sensitive information is avail- 
able on cards that are not used as 11 key cards" but as 
more absolute information carriers. The second part of 
the sensitive information then consists of computer files 
5 which may contain data of the type which is mentioned by 
way of introduction and which only the card user may 
access. When the card user wants to verify that he has 
the right to access to the sensitive information stored 
in the computer files on the smart card, he places the 

10 card in a terminal and enters a PIN code (PIN = Personal 
Identification Number) . The pin code is limited to 16 
bytes and usually consists of four digits between zero 
and nine which are matched with the template stored on 
the card. If the pin code corresponds with the template, 

15 "the card is unlocked", i.e. the user gains access to the 
computer files containing the sensitive information. This 
differs from the case where the card is used as a pure 
"key card" and only a "yes" or a "no" is generated in 
response to the matching with the template. 

20 Pin codes are presently used in many situations, 

and many people find it difficult to remember a number 
of different pin codes. Therefore, many people choose 
to use the same pin code in a number of different situa- 
tions, thus deteriorating security. For this reason, and 

25 with a view to further increasing security, alternative 
solutions have been presented, in which a user instead 
identifies himself with the aid of biometric information. 
By biometric information is meant information which is 
body-related and individual-specific for the user and 

30 which may consist of, for instance, the pattern of the 
user's fingers, palm, iris, or some other information 
which is not related to appearance, such as the user's 
voice. A method in which a user identifies himself with 
the aid of biometric inf ormation according to prior art 

35 typically proceeds as follows: 

The user places his smart card in a terminal and one 
finger on a sensor which generates a digital image, i.e. 
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a digital representation, of his finger. The digital 
image of the finger proceeds to an external processor, 
for instance a personal computer, where it is preprocess- 
ed. In the preprocessing, the amount of information in 
5 the image is reduced so that, for instance, a binarised 
image or parts of a binarised image are generated. A 
corresponding preprocessed image has been stored on the 
card as a template. The external processor collects the 
template from the card and compares this with the pre- 

10 processed image of the finger. In case of correspondence, 
the external processor transmits a pin code to the card. 
This pin code acts as a key and gives access to the sen- 
sitive information stored in the memory of the card. If 
the template and the preprocessed image information do 

15 not correspond with each other, no pin code is transmit- 
ted and the user cannot access the computer files with 
the sensitive information on the card. 

Even if biometry is used so that the user will not 
need to use a pin code, a pin code is still transmitted 

2 0 at the last stage of the verification process since this 
pin code is necessary for the "unlocking" of specific 
files containing sensitive information on the smart card. 
Thus the pin code must be hardcoded either in the soft- 
ware for the application which communicates with the 

2 5 card, or in some hardware in the unit where the card is 

read and written. Consequently no significant increase 
of the security is achieved despite the use of biometry 
since there is still a risk that someone may access the 
computer files with sensitive information on the card by 

3 0 transmitting the pin code to the card. 

Also in the case where the only action of the smart 
card is to generate a yes or no, it is necessary to en- 
crypt the information on the card to be able to guarantee 
that the yes/no that is transmitted is unique for each 
35 card or transmission. This causes the same problems as 
described above since the key for encryption must be 
stored somewhere. 
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A further problem is that the template with which 
the matching occurs must be read from the card into the 
external processor in which the comparison with the 
user's biometric data takes place. In the first place 
5 this is a security risk, and in the second place there 

are directives issued by computer security authorities in 
certain countries which recommend that a biometric tem- 
plate should never leave the smart card. 

One solution to the above problems is presented in 

10 Swedish Patent No. 8101707-1 which discloses an account 
card type data carrier which is provided with verifica- 
tion equipment comprising a sensor on which a user places 
one of his fingers. The sensor records papillary line in- 
formation from the user's finger and calculates an iden- 

15 tification bit sequence which is compared with a previ- 
ously stored reference bit sequence. If the bit sequences 
conform with each other, an acceptance signal is gene- 
rated, which can activate an indication means or a con- 
necting means which makes the data carrier useable. 

2 0 Although this solution eliminates the use of pin 

codes and lets the template remain on the card all the 
time, certain drawbacks still remain. For example, the 
card will be relatively expensive to make generally 
accessible to a large number of users since it contains 
25 a large number of components and must be specially made. 
Owing to the large number of components and the fact that 
all operations are effected on the card, also the prob- 
ability increases that the card will meet with interrup- 
tions. Furthermore it is difficult to protect the sensor 

3 0 on the card against external mechanical action. 

Summary of the Invention 

An object of the present invention therefore is to 
obviate, or at least alleviate, the above problems and to 
provide an alternative system for checking the right to 
35 access to sensitive information. 

According to the invention, this object is achieved 
by a system which has the features defined in appended 
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claim 1, preferred embodiments being stated in appended 
claims 2-10. The object is also achieved by a portable 
data carrier according to claims 11-12, a processing unit 
according to claims 13-18, and a method according to 
5 claims 19-27. 

More specifically, the invention concerns a system 
for checking the right to access to sensitive informa- 
tion, the check being based on current biometric data of 
a person whose right to access to the sensitive informa- 

10 tion is to be checked, the system comprising a portable 

data carrier comprising a memory containing the sensitive 
information, a signal processing means and a communica- 
tion means; and a processing unit, which is adapted to 
receive the current biometric data from the person, com- 

15 prising a memory, a signal processing means and a commu- 
nication means. The signal processing means of the pro- 
cessing unit is adapted to preprocess the current bio- 
metric data and to transfer the same to the signal pro- 
cessing means of the data carrier with the aid of the 

2 0 communication means, and the signal processing means of 

the data carrier is adapted to compare the received pre- 
processed biometric data with biometric reference data 
stored in advance in the memory of the data carrier to 
determine whether the right to access to the sensitive 
25 information exists. 

The expression "sensitive information" should in 
this context be interpreted in a very wide sense. The 
sensitive information may be information stored on the 
actual data carrier in the form of computer files; a 

3 0 "key" which makes it possible to use the data carrier, 

for example, to open a door of a room and give the user 
physical access to information of a type other than that 
which can be stored on the actual data carrier; and dif- 
ferent types of so-called digital certificates. By bio- 
35 metric data is meant data representing an individual- 
specific characteristic of an individual. Examples of 
such data can be the pattern of the individuals fingers, 
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palm, iris or voice. The data carrier on which the sen- 
sitive information is stored may exist in a large number 
of different embodiments. The only common features that 
are necessary between the different embodiments are that 
5 it should contain a memory, a signal processing means, 
such as a processor, an FPGA (Field Programmable Gate 
Array) or an ASIC (Application Specific Integrated Cir- 
cuit) , and a communication means with the aid of which it 
can communicate with an external processing unit. For the 

10 data carrier to be usable in as many situations as pos- 
sible, it is important for it to be portable, i.e. that a 
user should be able to carry the data carrier in a simple 
way without requiring any additional aids. 

According to the invention, the data carrier thus is 

15 intended for use together with a processing unit contain- 
ing a signal processing means, which is adapted to pre- 
process current biometric data of the person who on a 
certain occasion uses the data carrier together with the 
processing unit to gain access to the sensitive informa- 

2 0 tion. The term preprocessing thus is here used in a wide 
sense and intends to comprise all types of signal proces- 
sing on the current biometric data, which has for its 
purpose to extract a sufficient amount of information 
from the current biometric data to be able to make a safe 

25 comparison with prestored biometric reference data in the 
memory of the data carrier. The signal processing means 
of the data carrier is further adapted to make this com- 
parison. By current biometric data is meant that the user 
must present the biometric data to the system on each 

30 occasion when he wishes to gain access to the sensitive 
information. 

By making the check of the right to access on the 
data carrier, no pin code need be generated in the pro- 
cessing unit and transferred to the data carrier. The 
35 preprocessed biometric data is transferred instead, which 
is much more difficult to counterfeit since it is more 
complex than an ordinary pin code. 
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Owing to the preprocessing in the external proces- 
sing unit, the data carrier can be of an inexpensive 
standard type, such as a Java card or a MULTOS card, and 
need not be specially made and contain a large number 
5 of components, which is the case of prior art. Only the 
operating system on the data carrier has access to the 
biometric reference data and other sensitive information 
stored thereon. This also implies that the biometric 
reference data in the memory of the data carrier need not 

10 leave the data carrier to be compared with the preproces- 
sed biometric data. The final decision whether the right 
to access to the sensitive information exists or not is 
thus made by the operating system on the actual data car- 
rier. This, too, causes a further increase of security. 

15 According to a preferred embodiment, the preproces- 

sed biometric data and the biometric reference data con- 
sist of digital representations of an individual -specific 
parameter. By a digital representation of an individual - 
specific parameter is meant a recording in digital form 

20 of a body-related characteristic which somehow is unique 
for an individual. Examples of this are a digital image 
of the pattern on the individual's fingers, palm, iris, 
or a frequency spectrum of the individual's voice, or 
some other kind of representation of a unique character- 

25 istic related to the individual's body. 

Preferably, the digital representations consist of 
digital images. The digital images can be recorded by 
means of an optical sensor, a capacitive sensor, or in 
some other way. The main thing is that the individual - 

30 specific information is recorded in the digital image. 
The advantage of using digital images is that they can 
quickly and easily be recorded and easily be processed 
in different ways. 

In the case where a digital image constitutes the 

35 digital representation, the signal processing means of 

the processing unit is advantageously, in the preproces- 
sing, adapted to perform a binarisation of the digital 
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image which represents the current biometric data. Each 
pixel in the digital image which represents the current 
biometric data has a colour or grey scale value. The 
binarisation implies that the colour or grey scale values 
5 of the pixels are compared with a threshold value. If the 
value of the pixel is greater than the threshold value, 
it is converted into white, and if it is smaller than 
the threshold value, it is converted into black or vice 
versa. Through this binarisation, the data quantity in 

10 the digital image decreases significantly since black and 
white can be represented by only one bit each instead of 
a larger number of bits, which is required for a pixel 
that is grey or has some other colour. Simultaneously, 
the contours of the image are essentially retained, which 

15 represent the biometric data which is specific to the 
user. The threshold value with which the pixels of the 
digital image are compared can either be the same for all 
pixels, or vary between different parts of the digital 
image . 

20 The purpose of reducing the data quantity in the 

original digital image in the preprocessing as described 
above is to obtain a digital image containing a suffi- 
cient data quantity to enable a safe comparison on the 
data carrier. At the same time this comparison should not 

25 require too much time. 

In a preferred embodiment of the invention, the sig- 
nal processing means of the data carrier is adapted to 
carry out a two-dimensional comparison of at least a par- 
tial area of the biometric reference data and at least a 

30 partial area of the preprocessed biometric data. By a 

two-dimensional comparison is meant that the signal pro- 
cessing means directly compares areas of the preprocessed 
biometric data and in the reference data. As a result, no 
reference point or similar aid need be used in the com- 

3 5 parison. To reduce the time expenditure in this compari- 
son, use is advantageously made of partial areas of the 
two images. A partial area of the image containing the 
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digital reference data is compared successively with 
different partial areas of the preprocessed image until 
sufficient correspondence between the partial areas is 
achieved. Subsequently, additional partial areas of the 
5 representation of the digital reference data are compared 
with the preprocessed biometric reference data until a 
predetermined comparison criterion has been satisfied. 
The comparison criterion may vary between different 
applications, and if it is not satisfied, the biometric 

10 reference data is not considered to correspond with the 
current biometric data. The partial areas used in the 
comparison may vary in size, form and position. The 
important thing is that they are selected in such manner 
that the individual-specific information in the areas 

15 will be maximal. 

In the case where the digital representation has 
a format other than a digital image, the preprocessing 
and the comparison will, of course, be different from 
the processing and comparison described above. Just as 

2 0 described above, however, the purpose of the preprocess- 

ing is to reduce the data quantity in the original digi- 
tal representation to obtain a digital representation 
containing a sufficient data quantity to enable a safe 
comparison on the data carrier. 
25 In one more embodiment, the signal processing means 

of the data carrier is further adapted to determine, in 
case of correspondence between the preprocessed biometric 
data and the biometric reference data, which operations 
the processing unit is allowed to perform on the sensi- 

3 0 tive information. When the preprocessed biometric data 

has once been transferred from the processing unit to 
the data carrier, the signal processing means of the data 
carrier thus first makes the final check without involv- 
ing the signal processing means of the processing unit. 
3 5 If, in this check, it is found that the preprocessed bio- 
metric data and the biometric reference data correspond 
with each other, the signal processing means of the data 
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carrier grant the processing unit certain rights as to 
which operations it is allowed to perform on the sensi- 
tive information. These operations can be, for example, 
merely reading sensitive information from the memory of 
5 the data carrier, making changes in the existing sensi- 
tive information in the memory of the data carrier, sup- 
plying additional sensitive information to the memory of 
the data carrier, or various combinations of the above 
operations . 

10 In the presently most preferred embodiment, the 

current biometric data consists of a fingerprint, which 
enables a simple recording process. 

According to another aspect, the memory of the data 
carrier may also preferably contain feature reference 

15 data. If a lower security level and a higher verification 
speed are desired, feature data can instead be used to 
verify the user's right to use the card. The comparison 
of features in fingerprints is well known in the art, and 
this verification process can be designed by a person 

2 0 skilled in the art in a manner that is appropriate for 

the application at issue. 

With a view to increasing the verification speed 
while at the same time maintaining a high security level, 
the signal processing means of the processing unit is 
25 preferably adapted to extract, in the preprocessing, fea- 
tures from the fingerprint and compare these with feature 
reference data that has been transferred from the data 
carrier to the processing unit. As a result, the higher 
capacity of the signal-processing device in the process- 

3 0 ing unit can be utilised. The comparison of feature data 

that is made in the preprocessing may serve various pur- 
poses. For instance, by comparing the features it is 
possible to determine the rotation as well as the trans- 
lation of the current fingerprint relative to the refe- 
35 rence fingerprint. This results on the one hand in 

improved security and, on the other hand, quicker veri- 
fication since fewer combinations of rotation and trans- 
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lation need be examined on the data carrier. This veri- 
fication process can thus be said to constitute a type of 
"hybrid matching" in which on the one hand a traditional 
comparison of feature data from the fingerprint is ef-. 
5 fected and, on the other hand, a two-dimensional compar- 
ison of partial areas of the digital images is effected. 

The data carrier is a standard type smart card, for 
example a Java or MULTOS card, i.e. simple, inexpensive 
types of data carrier which are easy to adjust to dif- 

10 ferent applications and are easy for a user to carry. A 
standard type smart card containing data about a certain 
user can thus be used in many different situations since 
it is just standardised and since the operating system 
on the card handles the files so that the handling of 

15 the files is independent of the application for which 
the card is used, which is not the case with the prior 
art data carriers described above. 

According to another aspect of the invention, it 
comprises a portable data carrier having a memory which 

20 contains sensitive information, a signal processing means 
and a communication means. The communication means of the 
data carrier is adapted to receive preprocessed biometric 
data from a processing unit and to transfer the same to 
the signal processing means, which is adapted to compare 

25 the received preprocessed biometric data with biometric 
reference data stored in the memory. 

Thus the data carrier is adapted to receive pre- 
processed biometric data. The data received by the data 
carrier can represent different individual -specif ic para- 

3 0 meters, for instance of the type described above, and can 
have different formats. The received biometric data must 
be some type of data which is preprocessed in a proces- 
sing unit. It is not sufficient, for example, to place 
one's finger on the data carrier, but the biometric data 

3 5 must be accessible in an electronically readable format. 
The preprocessing, however, can be more or less exten- 
sive, and the format of the preprocessed data may vary to 
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a great extent depending on the application at issue. The 
decisive factor for which type of preprocessed data can 
be received by the data carrier is that it must be of the 
same type as the biometric reference data stored in the 
5 memory of the data carrier, and that the data carrier 
must have sufficient capacity to be able to at least 
perform the comparison with the biometric data stored in 
the memory of the data carrier. 

In a preferred embodiment of the data carrier, the 

10 signal processing means is adapted to compare the pre- 
processed biometric data with the biometric reference 
data by comparing digital representations of an indi- 
vidual-specific parameter. The advantage of using digital 
representations is evident from the above discussion in 

15 connection with the description of the system. The digital 
representations preferably consist of digital images. 

According to one more aspect of the invention, it 
comprises a processing unit for checking the right to 
access to sensitive information stored on a portable data 

2 0 carrier, said check being based on current biometric data 
of an individual, the processing unit comprising a mem- 
ory, a signal processing means and a communication means. 
The signal processing means of the processing unit is 
adapted to preprocess biometric data of the individual 

2 5 and transfer this to the data carrier via the communica- 

tion means. A number of different types of preprocessing 
can be carried out depending on the type of current bio- 
metric data supplied by the individual. However, the 
purpose is always to reduce the amount of information in 

3 0 the recorded current biometric data so as to give it a 

format that allows a transfer to the data carrier and a 
final comparison on the same. The processing unit can be 
any type of unit having a memory, a signal processing 
means and a communication means, and advantageously con- 
35 sists of a computer. 

Moreover, the processing unit can be equipped with a 
sensor for recording current biometric data of the indi- 
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vidual in the form of a digital representation, such as 
a digital image. Thus, no additional equipment need be 
connected to the processing unit, which means that the 
recording and preprocessing can be integrated so that 
5 the process from the recording of the user's biometric 
data up to and including the transfer to the portable 
data carrier will be quick. Furthermore also security 
increases since current biometric data need not be trans- 
ferred between a special recording unit and the proces- 

10 sing unit. The sensor can also be better protected 

against mechanical action compared with the case where 
it is arranged on the actual data carrier. 

Preferably, the current biometric data is a finger- 
print and the signal processing means of the processing 

15 unit is adapted to extract, in the preprocessing, fea- 
tures from the fingerprint and compare these with feature 
reference data that has been transferred from the data 
carrier to the processing unit. The purpose of this com- 
parison of features is apparent from the above discussion 

20 in connection with the system. 

According to a last aspect of the invention, it com- 
prises a method of checking, based on current biometric 
data of a person, the right to access to sensitive infor- 
mation stored on a portable data carrier. The method com- 

25 prises the steps of 

- preprocessing the current biometric data in a pro- 
cessing unit; 

- transferring the preprocessed biometric data to 
the data carrier; 

3 0 - comparing on the data carrier the preprocessed 

biometric data with biometric reference data stored on 
the data carrier; and 

- in case of correspondence between the preprocessed 
biometric data and the biometric reference data, granting 

35 the person the right to access to the sensitive informa- 
tion. 
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Preferred variants of this method are presented in 
claims 20-27. These methods result in the same advantages 
as have been mentioned above in the discussion of the 
system, the data carrier and the processing unit. 
5 Brief Description of the Drawings 

The invention will now be described in more detail 
by way of an embodiment with reference to the enclosed 
schematic drawings . 

Fig. 1 is a schematic drawing showing a system 
10 according to the invention. 

Fig. 2 is a block diagram showing a method according 
to the invention for recording biometric reference data 
on a data carrier. 

Fig. 3 is a block diagram showing a method according 
15 to the invention for checking the right to access to sen- 
sitive information stored on a data carrier. 
Description of Preferred Embodiments 

Fig. 1 is a schematic view of a system according to 
the invention, which consists of a data carrier 1 in the 

2 0 form of a smart card and a processing unit 2, which in 

this case is a computer. The smart card 1 is an ordinary 
standard type card, for instance a Java or MULTOS card, 
and has a communication means 3 which is adapted to com- 
municate with a communication means 4 in the computer 2. 
25 The smart card 1 further has a signal -processing unit in 
the form of a processor 5 and a memory 6 . The memory 6 
contains sensitive information on the one hand in the 
form of computer files to which the person using the sys- 
tem wishes to gain access and, on the other hand, in form 

3 0 of a template which consists of biometric reference data 

of the user. The template consists of a preprocessed 
digital representation in the form of a digital image, 
and it will be described below in connection with Fig. 2 
how this image is generated. In addition to the sensitive 
3 5 information and the template, the memory 6 also contains 
software which the processor 5 uses to compare the pre- 
processed image of the user's biometric data, which has 
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been transferred from the computer 2 to the smart card 1, 
and the template. 

The computer 2 comprises a signal processing means or 
a processor 7, which is used in the preprocessing of the 
5 user's biometric data. The biometric user data is recorded 
by means of a sensor 8, which in this embodiment consists 
of a capacitive sensor. However, also other known types of 
sensors can be used that can record fingerprints, such as 
heat sensors, or optical sensors. The sensor 8 is connect- 

10 ed to the processor 7 and to a memory 10, in which soft- 
ware is stored for the preprocessing of the biometric data 
that the processor 7 carries out. The computer 2 also com- 
prises circuits 11 for external communication with other 
units. The communication between the different units in 

15 the computer 2 and on the smart card 1, respectively, 
occurs via a data bus (not shown) . 

For a comparison to be made on the card 1, it is 
necessary to produce a template with which the user's 
biometric data can be compared each time a verification 

20 of the right to access to the sensitive information on 
the card 1 need be made. A description how this is done 
follows below. 

Fig. 2 is a block diagram showing how a template and 
sensitive information are recorded and stored on the data 

2 5 carrier or smart card 1. In step 20, an image of the 

user's finger is recorded by means of the sensor 8 in the 
computer 2 . The result of the recording is a digital 
image in grey scale which represents the user's finger- 
print. In step 21, this digital image is preprocessed so 

30 as to generate a template. This preprocessing can be car- 
ried out in many ways, one of which will be described 
below. 

First, a check of the image quality of the finger- 
print is carried out. Among other things, it is checked 
35 whether the user has applied his finger with sufficient 
pressure on the sensor 8 and so that any moisture on the 
user's finger has not made it impossible for the sensor 



WO 01/11577 



PCT/SE00/01472 



16 

8 to distinguish between "crests" and "troughs" on the 
finger. If the quality of the image is insufficient, the 
user is requested to correct the deficiencies in a suit- 
able manner. 

5 When a digital image in grey scale of sufficient 

quality has been recorded by the sensor 8, a binarisa- 
tion of the image occurs. The binarisation implies that 
the pixels of the image are compared with a grey scale 
threshold value. The pixels which have a value smaller 

10 than the grey scale threshold value are converted to 
white and those having a value greater than the grey 
scale threshold value are converted to black. The grey 
scale threshold value can be the same for the entire 
image or vary between different parts of the image. The 

15 binarisation algorithm can further be refined, so that 
the pixels are compared with the surroundings, so as to 
prevent, for example, individual pixels from being white 
if all the surrounding pixels are black. This adaptation 
is easily carried out by a person skilled in the art. 

20 After the binarisation, a number of areas of the 

image are selected to be stored in the form of a tem- 
plate. One of the areas is selected to be positioned 
fairly central in the image, and the others, the number 
of which usually varies between four and eight depend- 

25 ing on the desired security level, may have varying 

positions relative to the central area. The size of the 
selected areas is in this embodiment 48 x 48 pixels, but 
can easily be adjusted by a person skilled in the art 
according to the existing requirements. The size and 

3 0 position of the various areas are selected so as to com- 
prise as much individual -specif ic information as pos- 
sible. For instance, areas with curved lines are of 
greater interest than areas with straight parallel lines. 
Subsequently the template is transferred from the 

35 computer 2 via the communication circuits 3 , 4 to the 
memory 6 of the smart card 1 in step 22. When the tem- 
plate has been transferred, sensitive information can 
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also be transferred from the computer 2 and stored in 
the memory 6 of the smart card 1, step 23, if desired. 
The recording of templates for the card owner is made 
only once. The sensitive information can, however, be 
5 replaced when necessary. 

Fig. 3 shows a verification process when a user wants 
to get hold of the sensitive information stored on the 
smart card 1. First he places his smart card 1 in a card 
reader either directly in the computer 2 or in a separate 

10 card reader communicating with the computer 2. He then 

places his finger on the sensor 8 and a digital image is 
recorded in step 3 0 in the same way as described above. 
The image is preprocessed in the computer 2 in step 31 in 
the same way as in the recording of the template, except 

15 that no partial areas are selected, so that otherwise it 
has the same format as the template stored on the smart 
card 1. Subsequently, the preprocessed image is transfer- 
red to the smart card 1 via the communication circuits 
3, 4 where it is matched with the template, step 32. In 

2 0 the matching, the central partial area of the template 

"sweeps 11 over the preprocessed image and in every position 
a comparison is carried out pixel by pixel. If a pixel in 
the template corresponds with a pixel in the preprocessed 
image, a given value, for example 1, is added to a sum. If 
25 the pixels do not correspond, the sum is not increased. 
When the central partial area of the template has swept 
over the entire preprocessed image, a position is obtain- 
ed, where the central partial area of the template best 
overlaps a partial area of the preprocessed image. 

3 0 Next, the remaining partial areas of the template 

are matched with the preprocessed image at issue. This 
matching is less time-consuming since an approximate 
position of the remaining partial areas is already known 
from the recording occasion for the template. When the 
35 pixels in the remaining partial areas of the template 

have been compared with corresponding areas of the pre- 
processed image, a total match value between 0% (i.e. no 
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match at all) and 100% (i.e. exact match) is obtained. 
This match value is compared with a predetermined thresh- 
old value, step 33. A more exhaustive description of the 
recording of templates and the verification is to be 
5 found in Applicant's International Patent Application 
No. PCT/SE99/00553 . 

If the degree of correspondence between the prepro- 
cessed image and the template is lower than the threshold 
value, step 33, the smart card returns a signal to the 

10 computer 2 in step 34, which refuses the user access to 
the sensitive information on the smart card 1, whereupon 
the process is ended. If, on the other hand, the template 
and the preprocessed image correspond with each other, 
the processor 5 of the smart card 1 unlocks the files 

15 containing sensitive information, step 35. Then the com- 
puter 2 gets access to this information, step 36, and 
this and other sensitive information can be exchanged 
between the two units. 

Although a special embodiment of the invention has 

20 been described above, it is obvious to those skilled in 
the art that many alternatives, modifications and varia- 
tions are feasible in the light of the above description. 
For example, a reference point can be located in the 
verification to achieve a quicker comparison between the 

25 images, and the areas of the image that are selected to 

be matched can be selected on the basis of other criteria 
than those described above. Quite different types of bio- 
metric data can also be used, such as the user's voice 
and a digital representation thereof in the form of a 

30 frequency spectrum. Therefore the invention is consider- 
ed to comprise all such alternatives, modifications and 
variations that are within the scope of the appended 
claims . 
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CLAIMS 

1 . A system for checking the right to access to sen- 
5 sitive information, the checking being based on current 

biometric data of a person whose right to access to the 
sensitive information is to be checked, the system com- 
prising 

- a portable data carrier (1) comprising a memory 
10 (6) containing the sensitive information, a signal pro- 
cessing means (5) and a communication means (3) ; and 

- a processing unit (2) , which is adapted to receive 
the current biometric data from the person, comprising a 
memory (10) , a signal processing means (7) and a communi- 

15 cation means (4) ; 

characterised in 

that the signal processing means (7) of the process- 
ing unit (2) is adapted to preprocess the current bio- 
metric data and to transfer the same to the signal pro- 

2 0 cessing means (5) of the data carrier (1) with the aid 
of the communication means (3, 4); and 

that the signal processing means (5) of the data 
carrier (1) is adapted to compare the received prepro- 
cessed biometric data with biometric reference data 

25 stored in advance in the memory (6) of the data carrier 
(1) to determine whether the right to access to the sen- 
sitive information exists. 

2. A system as claimed in claim 1, wherein the pre- 
processed biometric data and the biometric reference 

30 data consist of digital representations of an individual - 
specific parameter. 

3. A system as claimed in claim 2, wherein the digi- 
tal representations consist of digital images. 

4. A system as claimed in claim 3, wherein the sig- 
35 nal processing means (7) of the processing unit (2) is, 

in the preprocessing, adapted to perform a binarisation 
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of the digital image representing the current biometric 
data . 

5 . A system as claimed in any one of the preceding 
claims, wherein the signal processing means (5) of the 

5 data carrier (1) is adapted to perform a two-dimensional 
comparison of at least a partial area of the biometric 
reference data and at least a partial area of the pre- 
processed biometric data. 

6. A system as claimed in any one of the preceding 
10 claims, wherein the signal processing means (5) of the 

data carrier (1) is further adapted to determine, in case 
of correspondence between the preprocessed biometric data 
and the biometric reference data, which operations the 
processing unit (2) is allowed to carry out on the sen- 
15 sitive information. 

7. A system as claimed in any one of the preceding 
claims, wherein the current biometric data is a finger- 
print . 

8. A system as claimed in claim 7, wherein the memo- 
20 ry (6) of the data carrier (1) further contains feature 

reference data of a fingerprint. 

9. A system as claimed in claim 8, wherein the sig- 
nal processing means (7) of the processing unit (2) is 
further adapted to extract, in the preprocessing, fea- 

2 5 tures from the fingerprint and compare the same with 

feature reference data which has been transferred from 
the data carrier (1) to the processing unit (2) . 

10. A system as claimed in any one of the preceding 
claims, wherein the data carrier (1) is a smart card. 

30 11. A portable data carrier (1) comprising a memory 

(6) containing sensitive information, a signal processing 
means (5) and a communication means (3), charac- 
terised in 

that the communication means (3) of the data carrier 

35 (1) is adapted to receive preprocessed biometric data 

from a processing unit (2) and transfer the same to the 
signal processing means (5) ; 
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that the signal processing means (5) is adapted to 
compare the received preprocessed biometric data with 
biometric reference data stored in the memory (6) . 

12. A portable data carrier (1) according to claim 

5 11, wherein the signal processing means (5) is adapted to 
compare the preprocessed biometric data with the bio- 
metric reference data by comparing digital representa- 
tions of an individual -specific parameter. 

13. A processing unit (2) for checking the right to 
10 access to sensitive information stored on a portable data 

carrier (1) , said checking being based on current bio- 
metric data of a person, the processing unit (2) com- 
prising a memory (10) , a signal processing means (7) and 
a communication means (4) , 

15 characterised in 

that the signal processing means (7) of the pro- 
cessing unit (2) is adapted to preprocess the current 
biometric data and transfer the same to the data carrier 
(1) via the communication means (4) . 

20 14 . A processing unit (2) as claimed in claim 13, 

wherein the signal processing means (7) is further adapt- 
ed to perform operations on the sensitive information, 
based on rights assigned to the processing unit (2) by 
the data carrier (1) . 

25 15. A processing unit (2) as claimed in any one of 

claims 13-14, wherein the processing unit (2) is further 
provided with a sensor (8) for recording current bio- 
metric data of the person in the form of a digital repre- 
sentation . 

30 16. A processing unit (2) as claimed in claim 15, 

wherein the digital representation is a digital image. 

17. A processing unit (2) as claimed in claim 16, 
wherein the signal processing means (7) in the prepro- 
cessing is adapted to carry out a binarisation of the 

35 digital image which represents the current biometric 
data . 
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18. A processing unit (2) as claimed in any one of 
claims 13-17, wherein the current biometric data is a 
fingerprint and the signal processing means (7) further 
is adapted to extract, in the preprocessing, features 

5 from the fingerprint and compare the same with feature 
reference data which has been transferred from the data 
carrier (1) to the processing unit (2) . 

19. A method of checking, based on current biometric 
data of a person, the right to access to sensitive infor- 

10 mation stored on a portable data carrier (1) , char- 
acterised by the steps of 

preprocessing the current biometric data in a pro- 
cessing unit (2) ; 

transferring the preprocessed biometric data to the 
15 data carrier (1) ; 

comparing on the data carrier (1) the preprocessed 
biometric data with biometric reference data stored on 
the data carrier (1) ; and 

in case of correspondence between the preprocessed 
2 0 biometric data and the biometric reference data, granting 
the person the right to access to the sensitive infor- 
mation. 

20. A method as claimed in claim 19, further com- 
prising the step of 

25 determining, with the aid of the signal processing 

means (5) of the data carrier (1) , which operations the 
processing unit (2) is allowed to perform on the sensi- 
tive information in case of correspondence between the 
preprocessed biometric data and the biometric reference 

30 data. 

21. A method as claimed in any one of claims 19-20, 
further comprising the step of 

recording current biometric data of a person by 
means of the processing unit (2) . 
35 22 . A method as claimed in any one of claims 19-21, 

wherein the step of comparing the transferred preproces- 
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sed biometric data with biometric reference data com- 
prises the step of comparing two digital representations. 

23. A method as claimed in any one of claims 19-22, 
wherein the digital representations are digital images. 
5 24. A method as claimed in claim 23, wherein the 

step of preprocessing the current biometric data in a 
processing unit (2) comprises the step of binarising 
the digital image which represents the current biometric 
data . 

10 25. A method as claimed in any one of claims 19-24, 

wherein the step of comparing the preprocessed biometric 
data with biometric reference data comprises the step of 

carrying out a two-dimensional comparison of at 
least a partial area of the biometric reference data and 

15 at least a partial area of the preprocessed biometric 
data . 

26. A method as claimed in any one of claims 19-25, 
wherein the current biometric data is a fingerprint. 

27. A method as claimed in claim 26, further com- 
20 prising the steps of 

transferring feature reference data from the data 
carrier (1) to the processing unit; and 

extracting, in the preprocessing, features from the 
fingerprint and comparing the same with the feature ref- 
25 erence data. 
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